Discovery basics


Discovery finds
computers, servers, printers, and a variety of IP-enabled devices, and the applications
that run on them. It can then update the CIs in your CMDB with the data it
collects.

Horizontal discovery and top-down discovery

There are actually two types of discovery:

Horizontal discovery

The Discovery application performs horizontal discovery, which means
that it finds devices on your network and several attributes about those devices
including the operating system, software, memory, and so on. It can also establish
relationships between the applications and the device, and between applications. But
it does not draw relationships between CIs that are part of specific business
services.

Top-down discovery

Top-down discovery, which is a technique used by Service Mapping, finds and maps
CIs that are part of business services in your organization, such as an email
service. Service Mapping actually utilizes horizontal discovery to find devices in
the scanning and classification phases, and top-down discovery to map business
services.

Note: Both Discovery and Service Mapping can use the same pattern; however, you define steps
in the pattern differently for the two applications.

Planning for discovery

This video provides an overview of the horizontal discovery process.

What is Discovery

Probes, sensors, and patterns

Discovery uses these components to
explore computers and devices (which are also known as hosts):

Probes and sensors

Probes and sensors are scripts that collect data on the host, process it, and update the
CMDB. Several probes and sensors are provided out of box, but you can also customize them and
create custom ones. You can also configure parameters to control the behavior of a particular
probe every time it is triggered. A base set of probes and sensors is always used in the
first two stages of Discovery. If you are not using patterns, additional probes and sensors
are used to identify and explore hosts and the software that runs on them (see Discovery
phases).

Patterns

Patterns are a series of operations that also collect data on a host, process it, and
update the CMDB, just as probes and sensors do. Patterns differ from probes and
sensors in that they are written in Neebula Discovery Language (NDL) rather than
JavaScript, and they are called into action during the last two phases of Discovery.
Default patterns are provided, but you can customize or create new patterns using the
Pattern Designer. See Create or modify patterns.

Discovery phases

Scanning

Discovery sends the Shazzam probe to the network to see if specified ports are
open on the network and if they can respond to queries. For example, if Shazzam
finds a device that responds on port 135, Discovery knows that it is a Windows
server.

Classification

If Discovery finds devices, it continues to send probes to find the type of
device at each IP address. For example, Discovery sends the WMI probe to detect
Windows 2012 running on a Windows device. Classifiers specify which trigger probes
to run for identification and exploration.

Identification

Discovery tries to gather more information about the device, looks at those
attributes to determine if a CI for the device exists in the CMDB, and then
reconciles that information by either updating the CI or creating a new one.
Discovery uses additional probes, sensors, and identifiers to do this.
Identifiers, also known as identification rules, specify the attributes that the
probes look at when reconciling data with the CIs in the CMDB. If you are using
patterns, Discovery uses the appropriate identification rule for the CI type
specified in the pattern.

Exploration

The identifier in the previous step (Identification) launches the exploration
probes configured in the classification record to gather additional information
about the device, like the applications running on the device, and device
attributes, such as memory, network cards, and drivers. Discovery then maps
applications to devices and to other applications. In this phase, Discovery also
uses additional probes and sensors that are hard-coded to find this additional
information. If you are using a pattern, the operations in the pattern perform the
exploration of the CI.

Discovery and MID Servers

Discovery uses special server processes, called MID Servers. Each MID Server is a lightweight
Java process that can run on a Linux, Unix, or Windows server. The job of the MID Server
during Discovery is to execute probes and patterns, and then return the results to the
instance for processing. It does not retain any information.

MID Servers communicate with the instance they are associated with by a simple model: they
query the instance for the initial probes to run, and they post the results back to the
instance. There, the data collected by the probes is processed by sensors, which decide how to
proceed. Optionally, if you use patterns, the operations in the patterns decide how to proceed.
The MID Server starts all communications, using SOAP over HTTPS, so traffic is encrypted in
transit and every connection is initiated from inside the enterprise's firewall. No special
firewall rules or VPNs are required.

Discovery is agentless, meaning that it does not require any permanent software to be
installed on any computer or device to be discovered. The MID Server uses several techniques to
probe devices without using agents. For example, the MID Server uses SSH to connect to a Unix or
Linux computer, and then runs a standard command (such as uname or df) to gather information.
Similarly, it uses the Simple Network Management Protocol (SNMP) to gather information from a
network switch or a printer.

In addition to the MID Server, you need:

IP addresses

The address or addresses to query on the network. You configure these on the Discovery
schedule.

Credentials

The access credentials for the devices that you intend Discovery to collect data
on.

IP service affinity

IP Service affinity saves the IP service information that is used to successfully find a
device and associates it with the IP address of the device. Using this information, Discovery
can target the device in subsequent runs with the accurate protocol. Discovery records the IP
Service along with the IP address. Discovery can store the successful IP service information in
the IP Service Affinity table [ip_service_affinity].

For example: A network device has both an SSH port and an SNMP port open. By its agentless
design, Discovery tries SSH first. However, network devices should be discovered through
SNMP. Discovery tries the SSH probe and it fails. This triggers the SNMP probe, which
succeeds. With the association between the IP address and the IP service, subsequent
discovery runs that target this IP address use SNMP first, because that is the probe that
succeeded.
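
The SSH-then-SNMP sequence above, as an added example that is not ServiceNow code: a Map stands in for the [ip_service_affinity] table, and the probe names, addresses, and device table are constructed. It also covers two cases the text does not spell out: a remembered service whose port is no longer open, and a device where every probe fails.

```javascript
// Added illustration, not ServiceNow code: IP service affinity modelled as a Map.
// Probe names, addresses and the device table are constructed for this example.
const DEFAULT_ORDER = ['ssh', 'snmp']; // the page's example: SSH is tried first

// Constructed targets: services with an open port, and the probe that can explore them.
const DEVICES = {
  '10.0.0.5': { open: ['ssh', 'snmp'], succeeds: ['snmp'] }, // network switch
  '10.0.0.9': { open: ['ssh'], succeeds: ['ssh'] },          // Linux host
  '10.0.0.7': { open: ['ssh', 'snmp'], succeeds: [] },       // no working credentials
};

// Put the remembered service first; keep the rest as a fallback.
function probeOrder(ip, affinity) {
  const preferred = affinity.get(ip);
  if (!preferred) return DEFAULT_ORDER.slice();
  return [preferred, ...DEFAULT_ORDER.filter((s) => s !== preferred)];
}

// One discovery run against one address. Returns the probes actually sent.
function discover(ip, affinity, devices = DEVICES) {
  const device = devices[ip];
  const attempts = [];
  if (!device) return { ip, attempts, service: null };
  for (const service of probeOrder(ip, affinity)) {
    if (!device.open.includes(service)) continue; // closed port: nothing to probe
    attempts.push(service);
    if (device.succeeds.includes(service)) {
      affinity.set(ip, service); // record what worked for the next run
      return { ip, attempts, service };
    }
  }
  return { ip, attempts, service: null }; // every probe failed: nothing recorded
}

const affinityTable = new Map(); // stands in for [ip_service_affinity]
for (const run of [1, 2]) {
  const r = discover('10.0.0.5', affinityTable);
  console.log(`run ${run}: tried ${r.attempts.join(' -> ')}, used ${r.service}`);
}
```

The second run sends one probe instead of two, so the switch no longer sees a failed SSH attempt on every schedule.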

Discovery communications

Discovery communications cover how your instance talks to the MID Servers and how the MID
Servers talk to your devices. The MID Server is installed on the local internal network. All
communications between the MID Server and the instance are done via SOAP over HTTPS. Because
HTTPS is a secure and widely used protocol, the MID Server can connect to the instance
directly without opening any additional ports on the firewall. The MID Server can also be
configured to communicate through a proxy server if certain restrictions apply.

The MID Server is deployed in the internal network, so it can, with proper login credentials,
connect directly to discoverable devices.
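
One way to check the communication model described above against network flow records, as an added example that is not ServiceNow code. The addresses, the flow-record shape, and the `MODEL` settings (including treating the instance as a single IP address) are assumptions made for the illustration.

```javascript
// Added illustration, not ServiceNow code. Addresses are constructed and the
// flow-record shape ({src, dst, dport}, src = connection initiator) is hypothetical.
const MODEL = { mid: '10.1.1.20', instance: '203.0.113.10', proxy: null };

// Constructed flow records.
const SAMPLE_FLOWS = [
  { src: '10.1.1.20', dst: '203.0.113.10', dport: 443 },  // MID Server polls the instance
  { src: '10.1.1.20', dst: '10.1.2.31', dport: 22 },      // SSH probe to a Linux host
  { src: '10.1.1.20', dst: '10.1.2.40', dport: 161 },     // SNMP probe to a switch
  { src: '203.0.113.10', dst: '10.1.1.20', dport: 8443 }, // opened from the instance side
  { src: '10.1.1.20', dst: '203.0.113.10', dport: 80 },   // not HTTPS
];

// Return the flows that contradict the model: the MID Server starts every
// connection, and traffic to the instance goes over HTTPS or via the proxy.
function checkFlows(flows, model) {
  const up = model.proxy || { host: model.instance, port: 443 };
  const findings = [];
  for (const f of flows) {
    if (f.src === model.instance && f.dst === model.mid) {
      findings.push({ flow: f, reason: 'instance-initiated' });
    } else if (f.src === model.mid && model.proxy && f.dst === model.instance) {
      findings.push({ flow: f, reason: 'proxy-bypass' });
    } else if (f.src === model.mid && f.dst === up.host && f.dport !== up.port) {
      findings.push({ flow: f, reason: 'unexpected-port' });
    }
    // MID Server -> internal device flows (SSH, SNMP, ...) are the probes themselves.
  }
  return findings;
}

for (const { flow, reason } of checkFlows(SAMPLE_FLOWS, MODEL)) {
  console.log(`${reason}: ${flow.src} -> ${flow.dst}:${flow.dport}`);
}
```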

Discovery and Help the Help Desk

Help the Help Desk is a standard feature available through the self-service Help the Help Desk
application.

It gathers information, much as Discovery does, about a single Windows computer by running a
script on that computer. Discovery does many things that Help the Help Desk cannot do.

Functionality

Discovery

Help the Help Desk

Automatic discovery by schedule

Automatic discovery on user login

Manually initiated discovery

Windows workstations

Windows servers

*

Linux systems

Unix systems (Solaris, AIX, HP-UX, Mac (OSX))

Network devices (switches, routers, UPS, etc.)

Printers

Automatic discovery of computers and devices

Automatic discovery of relationships between processes running on servers

*Returns information about Windows server machines when Discovery is installed.

The horizontal discovery process passes through the four phases of discovery using probes, which gather information on the target machine, and then sensors, which help Discovery determine what to do with that information.